This is really a terrible message, and it has now happened to me too (latest Xojo, universal build). I don’t mind explaining to customers how to get the app out of Quarantine, but explaining why the app is damaged and telling them to open the Terminal is another thing. I really hope the Xojo devs can bring it back to the state where non-signed apps are just in Quarantine.
Maybe this helps: A guy from the community did some in-depth research and had some interesting findings:
Apparency report of M65Connect freshly unpacked…
“Gatekeeper: Can’t evaluate” = “Apparency can’t evaluate the Gatekeeper status because the signature itself is not valid, as shown by the Signed By identity (and documented below). Since the identity of the signing certificate can’t be relied upon, it doesn’t make sense to evaluate that identity against any Gatekeeper policy.”
Info property list…
(I’m learning out loud here, I don’t know yet if any of this is interesting or useful.)
Per that other article, “is damaged” is supposedly a hash mismatch between the contents of the app bundle and… I’m guessing some metadata in the app bundle itself. I wonder if something happens to the bundle contents after the com.apple.quarantine attribute is generated… by… whatever generates it…
Before trying to clear attributes:
❯ xattr -l M65Connect.app
com.apple.quarantine: 0081;65d7a6fd;Arc;
❯ xattr -cr M65Connect.app
~/Downloads
❯ xattr -l M65Connect.app
com.apple.provenance:
The Apparency report only changes in one way after clearing attributes: the “Downloaded” data is now missing (which makes sense).
My guess for now is that my system policy is to allow non-downloaded apps that don’t match the hash, but disallow such apps if they’re downloaded (quarantined).
That other app that I can open via the right-click menu has “No signature” instead of “Ad-hoc signature.” Maybe that’s the difference.
There’s no shortage of complaints about macOS Gatekeeper on the Internet but it was interesting to read this from Michael Tsai, a professional macOS/iOS developer I follow: Michael Tsai - Blog - Resolving Trusted Execution Problems
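
For reading the attribute values shown in the xattr listings above, here is an added example (not part of the original posts) that decodes a com.apple.quarantine value. It assumes the commonly observed field layout of hex flags, hex Unix timestamp, downloading agent and an optional event UUID, which the thread itself does not state; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample input: the two `xattr -l` listings quoted in the thread.
BEFORE = "com.apple.quarantine: 0081;65d7a6fd;Arc;\n"
AFTER = "com.apple.provenance:\n"


def parse_xattr_listing(text):
    """Map attribute name -> printed value for simple `xattr -l` lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            attrs[name.strip()] = value.strip()
    return attrs


def parse_quarantine(value):
    """Decode a quarantine value. Assumed layout: flags;timestamp;agent;uuid."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    try:
        flags = int(parts[0], 16)   # hex flag word, bits not interpreted here
        epoch = int(parts[1], 16)   # assumed: hex seconds since the Unix epoch
    except ValueError:
        raise ValueError(f"non-hex field in quarantine value: {value!r}") from None
    when = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {
        "flags": flags,
        "epoch": epoch,
        "downloaded_utc": when.isoformat(),
        "agent": parts[2],
        # The sample in the thread has an empty fourth field.
        "event_id": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def describe(listing):
    """Return decoded quarantine info, or None if the attribute is absent."""
    value = parse_xattr_listing(listing).get("com.apple.quarantine")
    return parse_quarantine(value) if value else None


if __name__ == "__main__":
    print("before clearing:", describe(BEFORE))
    print("after clearing: ", describe(AFTER))
```
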